Unleashing the Power of Nishang: A Deep Dive into Windows Post-Exploitation
Nishang, crafted by the skilled Nikhil Mittal, stands as a robust framework designed for post-exploitation tasks on Windows systems. This powerful toolkit comprises a suite of PowerShell scripts, each tailored to streamline various post-exploitation activities such as port scanning, information gathering, privilege escalation, credential harvesting, and establishing backdoors. One of Nishang’s standout features is its ability to run on Windows without installation, leveraging the built-in PowerShell component. Moreover, these scripts operate in memory, leaving minimal traces on the disk, making them a stealthy choice for security professionals.
Malware Analysis with Prasadhak
Among the array of scripts in Nishang, Prasadhak emerges as a potent tool for malware analysis. This script generates MD5 hash values for each running process on a machine and cross-references them with the VirusTotal database to pinpoint potential malware. This method proves invaluable during penetration testing, enabling testers to detect malicious software without the need for additional antivirus applications.
To harness Prasadhak effectively, you’ll need a VirusTotal account and an API key. This key serves as a parameter within the script, facilitating the comparison of hash values. Upon finding a match, the script displays a warning message along with a link to the VirusTotal analysis report for further scrutiny.
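The core of Prasadhak is an inventory-and-lookup loop: hash the image of every running process, then ask a reputation service about each hash. The following Python script is an added illustration of that loop from a defender's side; it is not Prasadhak's code or part of this article. It stands in for the VirusTotal query with a local blocklist (the file names, contents, PIDs and blocklist entry are all constructed), hashes each image with both MD5 and SHA-256, and deduplicates by hash before the lookup, because several processes usually share one image and reputation APIs are rate-limited.

```python
import hashlib
import os
import tempfile


def build_sample_images(root):
    """Create constructed 'process image' files standing in for the executables
    of running processes; on a live host you would use each process's image path."""
    images = {}
    for name, content in (("svchost.exe", b"legit-service-host"),
                          ("explorer.exe", b"legit-shell"),
                          ("updater.exe", b"dropper-payload")):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        images[name] = path
    return images


def hash_file(path, algorithms=("md5", "sha256")):
    """Stream the file once and return {algorithm: hexdigest} for every algorithm.
    MD5 is kept because that is what the lookup service is keyed on in the text;
    SHA-256 is computed alongside it for a collision-resistant local record."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def hash_process_inventory(processes):
    """processes: list of (pid, image_path).
    Returns {sha256: {"md5": ..., "path": ..., "pids": [...]}} so each distinct
    image is looked up once no matter how many processes run from it."""
    by_hash = {}
    for pid, path in processes:
        digests = hash_file(path)
        entry = by_hash.setdefault(digests["sha256"],
                                   {"md5": digests["md5"], "path": path, "pids": []})
        entry["pids"].append(pid)
    return by_hash


def check_against_blocklist(by_hash, blocklist_md5):
    """Local stand-in for the reputation lookup: return (path, pids, md5) for every
    unique image whose MD5 appears in the constructed blocklist."""
    hits = []
    for entry in by_hash.values():
        if entry["md5"] in blocklist_md5:
            hits.append((entry["path"], sorted(entry["pids"]), entry["md5"]))
    return hits


def run_demo():
    """Build the constructed inventory, hash it, and return (unique_images, hits)."""
    with tempfile.TemporaryDirectory() as root:
        images = build_sample_images(root)
        # Constructed process list: svchost runs three times, the others once each.
        processes = [(404, images["svchost.exe"]), (812, images["svchost.exe"]),
                     (1300, images["svchost.exe"]), (2200, images["explorer.exe"]),
                     (3120, images["updater.exe"])]
        inventory = hash_process_inventory(processes)
        # Constructed blocklist entry: the MD5 of the sample "dropper-payload" bytes.
        blocklist = {hashlib.md5(b"dropper-payload").hexdigest()}
        return len(inventory), check_against_blocklist(inventory, blocklist)


if __name__ == "__main__":
    unique, hits = run_demo()
    print(f"{unique} unique images, {len(hits)} blocklisted")
    for path, pids, md5 in hits:
        print(f"ALERT {os.path.basename(path)} pids={pids} md5={md5}")
```

Five processes collapse to three unique images, so only three lookups are needed; the single blocklist hit reports every PID running the flagged image. On a real host the same structure feeds a SIEM or EDR allow-list just as well as a VirusTotal query.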
Network Scanning and Brute Force Attacks
Upon gaining access to a machine, the initial phase of post-exploitation involves identifying other accessible machines and their open ports. Nishang equips you with two pivotal scripts for this purpose: Invoke-BruteForce and Invoke-PortScan.
Invoke-BruteForce
Invoke-BruteForce is a script engineered to execute brute force attacks on a variety of services, including SQL Server, Active Directory, local accounts, Web, and FTP services. The script accommodates several parameters:
- ComputerName: Designates the target machine’s name or IP address.
- UserList: Path to the file housing the list of usernames to be tested.
- PasswordList: Path to the file containing the list of passwords to be tested.
- Service: Specifies the service to be targeted.
- StopOnSuccess: Halts the attack once a valid username and password combination is discovered.
- Delay: Introduces a delay between attempts to evade detection.
Invoke-PortScan
Invoke-PortScan is employed to identify live hosts and perform port scanning on target machines. The script utilizes the following parameters:
- StartAddress: Specifies the starting IP address for the scan.
- EndAddress: Specifies the ending IP address for the scan.
- ResolveHost: Resolves the hostnames of the identified live hosts.
- ScanPort: Specifies the ports to be scanned. By default, the script scans a comprehensive list of commonly used ports.
- Port: Allows the user to specify custom ports for scanning.
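Both Invoke-BruteForce and Invoke-PortScan produce telemetry that a defender can count: repeated failed logons from one source, and one source touching many destination ports in a short time. The Python below is an added example for both sections, not code from Nishang or from this article. It runs one sliding-window detector over two constructed log formats (simplified failed-logon records in the spirit of Windows event 4625, and host-firewall connection records); the IP addresses, usernames, timestamps and thresholds are all made up. The slow-attempt sample shows the effect of Invoke-BruteForce's Delay parameter: attempts spread out over time slip under a short window and are caught only by a longer one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed failed-logon records: one fast burst from 10.0.0.5, two stray failures from 10.0.0.9.
AUTH_LOG = """\
2024-05-01 10:00:01 4625 src=10.0.0.5 user=alice
2024-05-01 10:00:02 4625 src=10.0.0.5 user=bob
2024-05-01 10:00:03 4625 src=10.0.0.5 user=carol
2024-05-01 10:00:03 4625 src=10.0.0.9 user=dave
2024-05-01 10:00:04 4625 src=10.0.0.5 user=dave
2024-05-01 10:00:05 4625 src=10.0.0.5 user=erin
2024-05-01 10:00:06 4625 src=10.0.0.5 user=frank
2024-05-01 10:00:40 4625 src=10.0.0.9 user=dave
"""

# Constructed slow attempts, 20 seconds apart, as a delayed brute force would produce.
SLOW_AUTH_LOG = """\
2024-05-01 10:10:00 4625 src=10.0.0.5 user=alice
2024-05-01 10:10:20 4625 src=10.0.0.5 user=alice
2024-05-01 10:10:40 4625 src=10.0.0.5 user=alice
2024-05-01 10:11:00 4625 src=10.0.0.5 user=alice
2024-05-01 10:11:20 4625 src=10.0.0.5 user=alice
"""

# Constructed connection records: 10.0.0.5 sweeps many ports on 10.0.0.20 (port 80 twice),
# 10.0.0.7 touches three ordinary ports.
CONN_LOG = "\n".join(
    [f"2024-05-01 10:05:{i:02d} CONN src=10.0.0.5 dst=10.0.0.20 dport={p}"
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 80, 110, 135, 139, 443, 445, 3389])]
    + ["2024-05-01 10:06:00 CONN src=10.0.0.7 dst=10.0.0.20 dport=80",
       "2024-05-01 10:06:01 CONN src=10.0.0.7 dst=10.0.0.20 dport=443",
       "2024-05-01 10:06:02 CONN src=10.0.0.7 dst=10.0.0.20 dport=445"]
)

AUTH_RE = re.compile(r"^(?P<ts>\S+ \S+) 4625 src=(?P<src>\S+) user=(?P<user>\S+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+ \S+) CONN src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse(text, pattern):
    """Parse matching lines into dicts with a datetime 'ts' and a sequence number, sorted by time."""
    events = []
    for seq, line in enumerate(text.splitlines()):
        m = pattern.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["seq"] = seq
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def sliding_window_alerts(events, group_by, item, window_seconds, threshold):
    """Generic detector: for each group, keep the items seen in the trailing window and
    fire once when the number of distinct items reaches the threshold."""
    windows = defaultdict(deque)
    fired, alerts = set(), []
    for e in events:
        g = group_by(e)
        dq = windows[g]
        dq.append((e["ts"], item(e)))
        cutoff = e["ts"] - timedelta(seconds=window_seconds)
        while dq and dq[0][0] < cutoff:
            dq.popleft()
        count = len({v for _, v in dq})
        if count >= threshold and g not in fired:
            fired.add(g)
            alerts.append({"group": g, "at": e["ts"], "count": count})
    return alerts


def detect_bruteforce(auth_text, window_seconds=60, threshold=5):
    """Count failed-logon attempts per source (each event is distinct via its seq number)."""
    return sliding_window_alerts(parse(auth_text, AUTH_RE), lambda e: e["src"],
                                 lambda e: e["seq"], window_seconds, threshold)


def detect_portscan(conn_text, window_seconds=30, threshold=10):
    """Count distinct destination ports per (source, destination) pair."""
    return sliding_window_alerts(parse(conn_text, CONN_RE), lambda e: (e["src"], e["dst"]),
                                 lambda e: e["dport"], window_seconds, threshold)


if __name__ == "__main__":
    print("brute force:", detect_bruteforce(AUTH_LOG))
    print("slow, 60 s window:", detect_bruteforce(SLOW_AUTH_LOG))
    print("slow, 600 s window:", detect_bruteforce(SLOW_AUTH_LOG, window_seconds=600))
    print("port scan:", detect_portscan(CONN_LOG))
```

The burst fires on the fifth failure from 10.0.0.5, and the sweep fires on the tenth distinct port even though port 80 was hit twice. The delayed attempts produce no alert with a 60-second window and one alert with a 600-second window, which is why per-account failure counts over long windows, or account-lockout policy, belong next to a short-window rate rule.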
Establishing Reverse Shells
Once a machine is compromised, an attacker may seek to establish a reverse shell to maintain access and perform further exploitation. Nishang offers several methods to accomplish this:
- Invoke-JSRatRegsvr: This script employs the regsvr32.exe application to establish a reverse shell over HTTP. By specifying the attacker’s IP address and port, the script generates a command that downloads and executes a malicious script, resulting in a reverse shell connection.
- Invoke-JSRatRundll: Similar to Invoke-JSRatRegsvr, this script uses the rundll32.exe application to establish a reverse shell. It follows a comparable process of downloading and executing a malicious script to achieve the reverse shell.
- Invoke-PoshRatHttp: This script establishes a reverse shell over HTTP by creating a listening mode on the attacker’s machine. When the victim machine sends a request to the specified URL, a reverse shell session is established.
- Invoke-PoshRatHttps: This script mirrors Invoke-PoshRatHttp but uses HTTPS for encrypted communication. It necessitates an SSL certificate on the attacker’s machine to establish a secure reverse shell session.
- Invoke-PowerShellIcmp: This script uses the ICMP protocol to establish a reverse PowerShell connection. Since ICMP is often permitted through firewalls, this method can be particularly effective in bypassing security measures.
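Two of the techniques above leave characteristic traces: the regsvr32.exe and rundll32.exe variants put a download URL on the command line of a signed system binary, and the ICMP variant moves shell traffic in echo packets whose size and rate do not look like ordinary ping. The Python below is an added detection example, not code from Nishang or this article. The process-creation records (fields modeled on Sysmon Event ID 1) and the ICMP flow records are constructed, including the hostnames, addresses and the deliberately non-functional command lines; the "normal" echo payload sizes of 32 bytes (Windows ping) and 56 bytes (Linux ping) are real defaults used as the baseline.

```python
import re
from collections import defaultdict

# Constructed process-creation records. The two URL-bearing command lines are
# illustrative only and are not working invocations.
PROCESS_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
    {"host": "WS01", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": "regsvr32.exe /s http://203.0.113.10:8080/r"},
    {"host": "WS02", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"host": "WS02", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": "rundll32.exe https://203.0.113.10/x"},
    {"host": "WS03", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": "chrome.exe https://example.com/"},
]

# Constructed ICMP flow records: (src, dst, icmp_type, payload_len).
# 10.0.0.5 sends 30 echo requests of irregular size to an external host;
# 10.0.0.7 pings normally; 10.0.0.8 is a monitoring box pinging the gateway a lot.
ICMP_RECORDS = (
    [("10.0.0.5", "203.0.113.10", 8, n) for n in [120, 88, 340, 32, 512, 200] * 5]
    + [("10.0.0.7", "10.0.0.1", 8, 32)] * 4
    + [("10.0.0.8", "10.0.0.1", 8, 32)] * 30
)

LOLBINS = {"regsvr32.exe", "rundll32.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def lolbin_url_alerts(events):
    """Flag a system binary from LOLBINS whose command line carries a URL.
    A browser with a URL is not flagged; a LOLBIN without one is not flagged."""
    alerts = []
    for e in events:
        image = e["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        m = URL_RE.search(e["cmd"])
        if image in LOLBINS and m:
            alerts.append({"host": e["host"], "image": image, "url": m.group(0)})
    return alerts


def icmp_tunnel_alerts(records, min_packets=20, normal_sizes=(32, 56)):
    """Flag a (src, dst) pair that sends many echo requests (type 8) where at least
    one payload size is not a standard ping size. Volume alone is not enough, so a
    monitoring host that pings often with 32-byte payloads stays quiet."""
    per_pair = defaultdict(list)
    for src, dst, icmp_type, length in records:
        if icmp_type == 8:
            per_pair[(src, dst)].append(length)
    alerts = []
    for (src, dst), sizes in per_pair.items():
        odd = [s for s in sizes if s not in normal_sizes]
        if len(sizes) >= min_packets and odd:
            alerts.append({"src": src, "dst": dst, "packets": len(sizes), "odd_sizes": len(odd)})
    return alerts


if __name__ == "__main__":
    for a in lolbin_url_alerts(PROCESS_EVENTS):
        print(f"ALERT {a['host']}: {a['image']} launched with URL {a['url']}")
    for a in icmp_tunnel_alerts(ICMP_RECORDS):
        print(f"ALERT {a['src']} -> {a['dst']}: {a['packets']} echo requests, "
              f"{a['odd_sizes']} with non-standard payload size")
```

The command-line rule needs process creation auditing with command-line capture (Sysmon, or Security event 4688 with the command-line field enabled). For the in-memory PowerShell stages these scripts rely on, PowerShell script block logging (event 4104) records the executed content even though nothing is written to disk, so "minimal traces on disk" does not mean no traces at all.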